A blog about Cyber Security & Compliance

Month: October 2011

Information Commissioner issues guidance on giving access to information held in complaint files.

What is this guidance for?

It is to help all organisations that hold complaint files to deal with requests for access to personal information held in them. This guidance deals with the issues that arise when an individual makes a subject access request under the Data Protection Act (DPA) for access to their own personal data. It also deals with the issues that arise when a third party makes a Freedom of Information Act (FOIA) request to a public authority for access to personal data about somebody else held in a complaint file.

This guidance will help your organisation:

to decide whether information in a complaint file is personal data, and if so whose personal data it is,

to work out who gets access to which data if one of the parties whose personal data is contained in a complaint file makes a subject access request, and

to decide how personal data held in a complaint file should be dealt with if a freedom of information request is made to a public authority.

The guidance focuses on whether information is personal data, and if so, whether its disclosure to a third party would be reasonable in all the circumstances (DPA s.7(4)) or would breach the data protection principles (FOIA s.40). It does not address all the other exemptions that might be relevant when someone makes a request for access to the information contained in a complaint file.

This guidance consists of an analysis of the content of a set of typical complaint files. It is based on the sort of complaint files organisations may have to deal with in reality. It avoids detailed legal exposition but should help its readers to understand the law and to deal properly with access requests. This guidance gives practical illustration to the ICO’s ‘Determining what is personal data’ Technical Guidance note.